From 14fafdfa4acede41e9d4c0399df90c50af1811fc Mon Sep 17 00:00:00 2001
From: daiao <358551898@qq.com>
Date: Fri, 27 Mar 2020 09:52:02 +0800
Subject: [PATCH] =?UTF-8?q?xss=E6=B3=A8=E5=85=A5=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 app/helpers/application_helper.rb | 13 +++++++++++++
 app/views/discusses/_discuss.json.jbuilder | 2 +-
 app/views/memos/_memo.json.jbuilder | 2 +-
 app/views/memos/_replies_list.json.jbuilder | 2 +-
 4 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index dbdcaea40..64c2f6e9f 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -10,6 +10,19 @@ module ApplicationHelper
   ONE_YEAR = 12 * ONE_MONTH
+  # xss共计问题
+  def content_safe content
+    tags = %w(
+      a abbr b bdo blockquote br caption cite code col colgroup dd del dfn dl
+      dt em figcaption figure h1 h2 h3 h4 h5 h6 hgroup i img ins kbd li mark
+      ol p pre q rp rt ruby s samp small strike strong sub sup table tbody td
+      tfoot th thead time tr u ul var wbr div span
+    )
+    attributes = %w(href src width height alt cite datetime title class name xml:lang abbr style)
+    sanitize content, tags: tags, attributes: attributes
+  end
+
+  # 全局参数配置
   def edu_setting name
     EduSetting.get(name)
diff --git a/app/views/discusses/_discuss.json.jbuilder b/app/views/discusses/_discuss.json.jbuilder
index 400798150..5244414f9 100644
--- a/app/views/discusses/_discuss.json.jbuilder
+++ b/app/views/discusses/_discuss.json.jbuilder
@@ -2,7 +2,7 @@ json.author do
   json.partial! 'users/user', user: discuss.user
 end
 json.id discuss.id
-json.content discuss.content
+json.content content_safe(discuss.content)
 json.time time_from_now(discuss.created_at)
 json.position discuss.position
 json.shixun_id discuss.dis_id
diff --git a/app/views/memos/_memo.json.jbuilder b/app/views/memos/_memo.json.jbuilder
index a09b7f293..a9c430017 100644
--- a/app/views/memos/_memo.json.jbuilder
+++ b/app/views/memos/_memo.json.jbuilder
@@ -3,7 +3,7 @@ json.memo do
   json.forum_id memo.forum_id
   json.subject memo.subject
   json.is_md memo.is_md
-  json.content memo.content
+  json.content content_safe(memo.content)
   json.sticky memo.sticky
   json.reward memo.reward
   json.viewed_count memo.viewed_count
diff --git a/app/views/memos/_replies_list.json.jbuilder b/app/views/memos/_replies_list.json.jbuilder
index 9ec6976c2..b9edd1865 100644
--- a/app/views/memos/_replies_list.json.jbuilder
+++ b/app/views/memos/_replies_list.json.jbuilder
@@ -1,5 +1,5 @@
 json.id memo.id
-json.content memo.content
+json.content content_safe(memo.content)
 json.time time_from_now(memo.created_at)
 json.user_id memo.author_id
 json.image_url url_to_avatar(memo.author)
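Review bot: `json.is_md memo.is_md` directly above the changed line signals that `memo.content` may be Markdown source, yet `content_safe` runs an HTML sanitizer over it before the client has rendered it. If the front end converts Markdown to HTML itself, sanitizing the source is the wrong layer: it can damage legitimate text (angle brackets and HTML examples inside code fences get stripped) while anything the renderer produces from Markdown syntax afterwards is never inspected. Either sanitize the rendered HTML at the point of display, or apply `content_safe` only when the body is not Markdown, e.g. `json.content memo.is_md ? memo.content : content_safe(memo.content)`, and have the renderer sanitize its own output. The `_replies_list.json.jbuilder` hunk on this same line serializes the same `memo.content` and needs the same decision; it does not emit `is_md`, so the flag would have to be consulted there too.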